Apparatus and method for negotiating network parameters



Technical field of the invention 

The present invention relates to an apparatus and method for negotiating network parameters for distribution of media between a client terminal and a server. More specifically, the invention relates to means and methods for traversing a firewall which performs translation of network addresses.

Background of the invention 

Today, so-called firewalls, shields or other types of protective security arrangements are connected to almost every computer system and communication network. Such security arrangements are necessary for preventing undesired intrusion into the computer system or network. An attack from outside with the purpose of destruction, or a computer virus that manages to pass the security arrangements and reach the interior of a computer system, may cause serious damage to it. The damage applies not only to the internal computer network or a residential computer system, but also to various electronic equipment related to it. As an alternative to an ordinary firewall, the user of a client terminal in a network may have a so-called network address translator, NAT, between his part of the network and the external network. The arrangement provides an additional obstacle for external users who want to obtain information about the IP addresses that are present behind the NAT arrangement and, in addition to that, the arrangement provides the user with a sufficient number of IP addresses within his internal network.



A firewall can do address translation to protect internally used IP numbers from being seen outside of the firewall. This translation changes the network IP information relating to the port numbers assigned for the media flow and thus re-directs the media transport. The IP information is used by servers that manage e-meetings or other media distribution services to identify client terminals.

One solution to the problem of how to enable traffic to and from client terminals and servers with an intermediate firewall or other protective arrangement is to insert a specific media proxy server in association with the communication server. However, this is both complicated and costly and hence there is a need for an improved solution to the problem.

Summary of the invention 

It is therefore an object of the present invention to alleviate the previously mentioned shortcomings of prior art associated with group communication services and provide a generally applicable solution. This is accomplished by an apparatus and a method for real-time data communication comprising a sending client terminal and at least one receiving client terminal, the client terminals being provided with protective means, the real-time data communication being transmitted via an intermediate distribution server, the protective means being provided with a network translation unit for mapping one internally accessible network destination address to a corresponding externally accessible network destination address,
characterised in that

the sending client terminal and the intermediate distribution server are adapted to exchange information between one another about the current mapping of destination addresses, so that the server can reach the receiving client terminal with real-time data communication.

By means of the present invention, negotiation is carried out between a server and a client terminal to propagate the network IP information required for real-time media communication. This is done by direct communication between the client terminal and the server using a computer communication protocol connection for transmission of network information in cases when network address translation is not required. The client terminal and the intermediate communication server are adapted to exchange information about network parameters in order to be able to identify the mapping between the client terminal's view of the network parameters and the server's view after the data has passed the network address translation unit. The mapping information is subsequently used for identifying the client terminal at the server as well as for informing the server about where to send the real-time media for it to reach the receiving client.

Brief description of the drawings

The features, objects, and further advantages of this invention will become apparent by reading this description in conjunction with the accompanying drawings, in which like reference numerals refer to like elements and in which:

Fig 1 illustrates a schematic overview of the means required for transmitting a media stream of data according to the present invention.

Fig 2 is a schematic illustration of the mapping of network addresses when transmitting a media stream of data according to the present invention.

Detailed description

The following description is of the best mode presently contemplated for practising the invention. The description is not to be taken in a limiting sense, but is made merely for the purpose of describing the general principles of the invention. The scope of the invention should be ascertained with reference to the issued claims.

With reference to Fig 1, a sending client terminal 10 is connected to the receiving client terminal 20. The connection is preferably made between the sending client terminal and the receiving client terminal via an intermediate communication server 30, which is adapted to direct or forward communication data from any sending communication terminal to another receiving communication terminal. A protective means 12, 22 is arranged in between each of the client terminals and the data-distributing computer network for protecting the client terminals from harmful intrusion, such as computer viruses or other damaging, network-distributed attacks to which the client terminal can be exposed. One kind of protective means is a software-based firewall arrangement or another computer protection means such as a virus shield. The sending and receiving client terminals may comprise any electronic equipment used for communication purposes, such as a personal computer or another type of mobile communication terminal including palmtops, mobile telephones, consoles and electronic organising tools.

In accordance with one embodiment, which is depicted in Fig 2, the general function of a network address translator is the following: a client terminal A is to establish communication with another client terminal B. Client terminal A is protected by a firewall and/or a network address translator C. Client terminal B listens for signals that arrive on its port number "x". When executing the signalling, client terminal A is about to transmit a signal from port number "y" to client B's port number "x". However, the firewall and/or network address translator arrangement C intercepts this packet and re-transmits it from a port number "z" of the protective means C to port number "x" of the client terminal B. Now, a state has been established in the firewall and/or network address translator C with a mapping on the external side from port "z" of the protective means C to port "y" of client terminal A, i.e. client terminal B now transmits data to port "z" and the firewall and/or network address translator translates this to port "y" of client terminal A. In order to maintain this allow-return mode, client terminal A must continuously transmit information to client terminal B through the firewall and/or network address translation arrangement C.
More in detail, and also with reference to Fig 2, the function of a certain network address translator arrangement in accordance with the present invention is as follows: the first step is client terminal A and client terminal B exchanging a secret piece of information, a so-called key, which may be a large and randomly chosen number treated as secret information, Cr. This is done via a mechanism such as encrypted and therefore secure HTTP (HTTPS). For clarity, although known to the skilled person, HTTP means hypertext transfer protocol and this protocol is the currently used standardised format for transmitting web information. This secret information is transmitted over TCP in a secure transport mode so as to make sure that the information reaches its intended recipient. The next step is for client terminal A to initiate communication with client terminal B via port "x" of client terminal B. Client terminal A transmits data from port "y" via the network translation arrangement C. The arrangement C forwards the data to client terminal B via its port "z". Data is now flowing from client terminal B to client terminal A by means of client terminal B transmitting data to port "z" of the network translation arrangement C, which in its turn translates this data to port "y" of client terminal A. At this stage of the transmission, client terminal B transmits a request to client terminal A to encrypt an arbitrary word "whatever" by utilising its secret key Cr, which is the same as previously mentioned, and then to transmit the encrypted arbitrary word "whatever" to client terminal B. Client terminal B, which is also in possession of the secret key Cr, does the same and, provided the results of the two encrypted words are equal, the transmitted information in the form of data traffic from client terminal A via the network translation arrangement C to client terminal B is acknowledged as being correct. That means further data traffic can be exchanged between client terminal A and client terminal B.
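The NAT state and the keyed challenge/response described above, as an added illustration that is not part of the patent text: a small Python model of the translator C (port "y" mapped to an external port "z", with the allow-return state expiring when A stops sending) and of B's check that A holds the same key Cr. HMAC-SHA256 stands in for "encrypting the arbitrary word with Cr", since the description names no cipher; the addresses, port numbers and idle timeout are constructed values, and the HTTPS exchange of Cr is assumed to have already taken place.

```python
import hmac
import hashlib
import secrets

# Constructed model of the NAT arrangement "C" from Fig 2 and of the keyed
# challenge/response B runs over it. Ports, addresses and the idle timeout
# are made-up illustration values, not values from the patent.


class Nat:
    """Port-translating NAT whose allow-return state expires when idle."""

    def __init__(self, idle_timeout=30, first_external_port=40000):
        self.idle_timeout = idle_timeout
        self.next_port = first_external_port
        self.bindings = {}       # (internal_ip, internal_port) -> external_port
        self.reverse = {}        # external_port -> (internal_ip, internal_port)
        self.last_outbound = {}  # external_port -> time of last outbound packet

    def outbound(self, internal_ip, internal_port, now):
        """A packet leaves from internal port y; returns the external port z."""
        key = (internal_ip, internal_port)
        if key not in self.bindings:
            z = self.next_port
            self.next_port += 1
            self.bindings[key] = z
            self.reverse[z] = key
        z = self.bindings[key]
        self.last_outbound[z] = now  # outbound traffic refreshes the state
        return z

    def inbound(self, external_port, now):
        """A packet arrives at external port z; returns (ip, y), or None if dropped."""
        if external_port not in self.reverse:
            return None  # no state: the firewall is in locked mode for this port
        if now - self.last_outbound[external_port] > self.idle_timeout:
            # Binding expired because the internal side stopped sending.
            key = self.reverse.pop(external_port)
            del self.bindings[key]
            del self.last_outbound[external_port]
            return None
        return self.reverse[external_port]


def new_shared_key():
    """Cr: a large random secret, assumed to have been agreed over HTTPS."""
    return secrets.token_bytes(32)


def new_challenge():
    """The arbitrary word: random symbols with no meaning."""
    return secrets.token_hex(16)


def respond(key, challenge):
    """Keyed transform of the word; HMAC-SHA256 stands in for 'encrypt with Cr'."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def verify(key, challenge, response):
    """B computes the same transform and compares in constant time."""
    return hmac.compare_digest(respond(key, challenge), response)


def run_exchange(cr_a, cr_b, idle_timeout=30):
    """Walk through the Fig 2 sequence; returns the observed results."""
    nat = Nat(idle_timeout=idle_timeout)
    a_ip, y = "10.0.0.5", 5000            # A's internal address and port (constructed)

    z = nat.outbound(a_ip, y, now=0)      # A -> B via C: port y is mapped to z
    delivered_to = nat.inbound(z, now=1)  # B -> z: C translates back to (A, y)

    challenge = new_challenge()           # B asks A to transform the word
    response = respond(cr_a, challenge)   # A answers using its copy of Cr
    ok = verify(cr_b, challenge, response)  # B checks against its own copy

    nat.outbound(a_ip, y, now=2)          # A keeps sending: state stays open
    open_at_20 = nat.inbound(z, now=20)
    after_idle = nat.inbound(z, now=2 + idle_timeout + 1)  # A went quiet

    return {"z": z, "delivered_to": delivered_to, "verified": ok,
            "open_at_20": open_at_20, "after_idle": after_idle}


if __name__ == "__main__":
    cr = new_shared_key()
    print(run_exchange(cr, cr))
```

Two points the model makes visible: B never learns port "y" directly, only the external port "z" that C chose, and an inbound packet after the idle timeout is silently dropped, which is why the description requires A to keep transmitting.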

By applying the above described function to the apparatus of Fig 1, the more detailed description therefore yields the following interpretation of the illustration: two communication client terminals 10, 20 are both situated behind network translation arrangements 12, 22. Communication between the two client terminals must be established via a third party, which may include any kind of communication means 30, such as for example a communication server or a portal. The first steps for establishing a functional communication channel between the communication client terminals 10 and 20 are carried out in parallel between the individual clients 10 and 20 respectively and, on the other side, the communication means 30. As soon as the communication channels 10-30 and 20-30 respectively are established, client terminals 10 and 20 can communicate with each other by transmitting data via the communication means 30.

The above described procedure and function has similarities with the cryptographically known method of challenge-response. Moreover, the arbitrary word "whatever" consists of entirely arbitrary symbols which do not necessarily have a meaning or form a known word.

A protective means, such as a firewall, is often arranged in a way that it allows traffic to enter a protected zone only on condition that corresponding traffic has been transmitted out of that protected zone. When the communication channel has not been used for a period of time, the state of the firewall changes from a data-permeable open mode to a locked mode. Another feature associated with firewalls is the network address translation described above.

Over the data connection any type of media information is distributed, such as streaming video, IP-telephony communication data or synchronous real-time communication data.

In accordance with the present invention, software is developed in parallel with the method of transmitting and acknowledging a media stream of data. The software resides in a memory associated with the means for transmitting and acknowledging according to Fig 1. The software is designed for instructing the hardware to carry out the sequential method steps previously described in this document with particular reference to Fig 2 and the method claims.



